
Merge pull request #97 from mozilla/96-remove-universal-cors

96 remove universal cors
2 parents 79db9ae + 2191b52 commit 317cdc709e0f79b239b44093924ed33d460916b9 @cmcavoy cmcavoy committed Mar 26, 2012
Showing with 87 additions and 10 deletions.
  1. +4 −9 app.js
  2. +10 −0 middleware.js
  3. +13 −0 test/conmock-test.js
  4. +5 −1 test/conmock.js
  5. +55 −0 test/middleware-test.js
@@ -28,13 +28,14 @@ app.helpers({
badges: {},
reverse: router.reverse,
});
+
app.dynamicHelpers({
user: function(req, res){
return req.user || null;
}
});
-// Middleware. See `middleware.js` for more information on the custom
-// middleware used.
+
+// Middleware. See `middleware.js`
app.use(express.static(path.join(__dirname, "static")));
app.use(express.static(path.join(configuration.get('var_dir'), "badges")));
app.use(middleware.noFrame({ whitelist: [ '/issuer/frame', '/', '/share/.*' ] }));
@@ -45,13 +46,7 @@ app.use(middleware.logRequests());
app.use(middleware.cookieSessions());
app.use(middleware.userFromSession());
app.use(middleware.csrf({ whitelist: ['/issuer/validator/?'] }));
-
-// Allow everything to be used with CORS.
-// This should probably just be limited to badges
-app.use(function(req, res, next) {
- res.header("Access-Control-Allow-Origin", "*");
- next();
-});
+app.use(middleware.cors({ whitelist: ['/_badges.*', '/issuer.*', '/baker'] }));
router(app)
.get('/baker', 'baker.baker')
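Review bot: The whitelist passed on the new `app.use(middleware.cors(...))` line reads as unanchored regex patterns (the `/f..` case in test/middleware-test.js matches `/foo`), so `'/baker'` would also match any url that merely contains that substring, and `'/issuer.*'` covers every issuer route including the frame and validator endpoints — broader than the "limited to badges" intent the removed comment expressed. If `whitelisted()` (not in this diff) builds a RegExp from each entry, anchoring them, e.g. `'^/baker$'`, keeps the header off unrelated routes. Because the header value is the wildcard `*`, browsers will not attach credentials, so the exposure is that the matched responses become readable cross-origin; that is worth confirming for the issuer routes specifically. A why-comment above the line would help, e.g. `// Cross-origin reads are allowed only for badge assertions, issuer endpoints and the baker.`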
@@ -93,6 +93,16 @@ exports.noFrame = function(opts) {
};
};
+exports.cors = function (options) {
+ var options = options || {}
+ var list = options.whitelist || []
+ if (typeof list === 'string') list = [list];
+ return function(req, res, next){
+ if (!whitelisted(list, req.url)) return next();
+ res.header("Access-Control-Allow-Origin", "*");
+ return next();
+ }
+}
// #FIXME: This was pulled from connect/lib/middleware/csrf.js
// The current version of the csrf middleware checks the token on
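Review bot: `var options = options || {}` inside `exports.cors` redeclares the parameter with `var`, and that line, the `var list = ...` line and the inner closure are missing the semicolons the rest of the file uses; `var opts = options || {};` and `var list = opts.whitelist || [];` read cleaner and avoid the shadowing. The function has no header comment; something like `// Sets Access-Control-Allow-Origin: * only when req.url matches an entry of options.whitelist (a pattern string or an array of them); every request continues to next().` would document the contract. `req.url` includes the query string and `whitelisted()` is defined outside this hunk, so whether entries are matched as anchored regexes cannot be confirmed here — the `/f..` test case suggests plain regex matching, which is worth stating in the comment once verified.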
@@ -58,6 +58,19 @@ vows.describe('Connection mocking').addBatch({
mock.headers['oh'].should.equal('hai');
},
},
+ '#next': {
+ topic: function () {
+ function mware (request, response, next) {
+ response.header('oh', 'hai');
+ next();
+ };
+ conmock(mware, {}, this.callback);
+ },
+ 'callback gets called, knows headers': function (err, mock) {
+ mock.headers['oh'].should.equal('hai');
+ }
+ },
+
'#contentType' : {
'given "json"': {
topic: function () {
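Review bot: The `'callback gets called, knows headers'` vow in the new `#next` batch only checks the header, so it would pass just as well if `mware` had exited through `response.send` instead of `next`; since test/conmock.js tags the mock with `fntype = 'next'` on that path, adding `mock.fntype.should.equal('next');` pins the behaviour this test exists to cover. The stray `;` after the `mware` function declaration is harmless but inconsistent with the file. The vows batch continues outside the hunk.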
@@ -44,7 +44,11 @@ conmock = function (fn, request, callback) {
callback(null, this);
},
};
- return fn(request, response);
+ function next () {
+ response.fntype = 'next';
+ callback(null, response);
+ }
+ return fn(request, response, next);
};
module.exports = conmock;
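Review bot: The new `next()` in `conmock` ignores its argument, so middleware that signals failure with `next(err)` is reported to the test callback as success with `err === null`; forwarding it, `function next (err) { response.fntype = 'next'; callback(err || null, response); }`, lets a vow observe the error path. A one-line comment above it, such as `// next() handed to the middleware: record the exit path and return the mock to the test.`, would also help, since `fntype` is otherwise unexplained. The `conmock` function starts before this hunk.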
@@ -0,0 +1,55 @@
+var vows = require('vows');
+var assert = require('assert');
+var should = require('should');
+var middleware = require('../middleware.js');
+var conmock = require('./conmock.js');
+
+vows.describe('middlware tests').addBatch({
+ '#cors': {
+ 'no whitelist' : {
+ 'topic' : function () {
+ var hdlr = middleware.cors();
+ conmock(hdlr, {}, this.callback);
+ },
+ 'does not add header' : function (err, mock) {
+ should.not.exist(mock.headers['Access-Control-Allow-Origin'], 'CORS header present when it should not be.');
+ },
+ },
+ 'whitelist is a string, url not on it' : {
+ 'topic' : function () {
+ var hdlr = middleware.cors({ whitelist: '/foo' });
+ conmock(hdlr, { url: '/bar' }, this.callback);
+ },
+ 'does not add header' : function (err, mock) {
+ should.not.exist(mock.headers['Access-Control-Allow-Origin'], 'CORS header present when it should not be.');
+ },
+ },
+ 'whitelist is a string, url matches' : {
+ 'topic' : function () {
+ var hdlr = middleware.cors({ whitelist: '/foo' });
+ conmock(hdlr, { url: '/foo' }, this.callback);
+ },
+ 'should add CORS header' : function (err, mock) {
+ should.exist(mock.headers['Access-Control-Allow-Origin'], 'CORS header not present when it should be.');
+ },
+ },
+ 'whitelist is a list, url matches' : {
+ 'topic' : function () {
+ var hdlr = middleware.cors({ whitelist: ['/bar', '/f..'] });
+ conmock(hdlr, { url: '/foo' }, this.callback);
+ },
+ 'should add CORS header' : function (err, mock) {
+ should.exist(mock.headers['Access-Control-Allow-Origin'], 'CORS header not present when it should be.');
+ },
+ },
+ 'whitelist is a list, url does not match' : {
+ 'topic' : function () {
+ var hdlr = middleware.cors({ whitelist: ['/bar', '/f..'] });
+ conmock(hdlr, { url: '/rad' }, this.callback);
+ },
+ 'should add CORS header' : function (err, mock) {
+ should.not.exist(mock.headers['Access-Control-Allow-Origin'], 'CORS header present when it should not be.');
+ },
+ },
+ },
+}).export(module);
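Review bot: The last vow, `'whitelist is a list, url does not match'`, is titled `'should add CORS header'` although its assertion is `should.not.exist`, so a failure would be reported under a misleading name; renaming it to `'does not add header'` matches the sibling cases. `assert` is required but never used, and the suite name `'middlware tests'` is misspelled. None of the positive cases check the header value; `mock.headers['Access-Control-Allow-Origin'].should.equal('*');` would pin the wildcard the middleware is expected to set.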
